Hi Rowland,

Thanks!

On 3-12-2019 16:32, Rowland penny via samba wrote:
> How about using the userAccountControl attribute ?
>
> Add 2 to it and the account becomes disabled and a disabled account
> cannot authenticate to AD

But the accounts still need to be able to logon to certain (a specific list of) workstations...

A disabled account can not logon at all.

MJ
On 03/12/2019 15:45, lists via samba wrote:
> Hi Rowland,
>
> Thanks!
>
> On 3-12-2019 16:32, Rowland penny via samba wrote:
>> How about using the userAccountControl attribute ?
>>
>> Add 2 to it and the account becomes disabled and a disabled account
>> cannot authenticate to AD
>
> But the accounts still need to be able to logon to certain (a
> specific list of) workstations...
>
> A disabled account can not logon at all.
>
> MJ
>
From your initial post, it sounded like you were trying to allow a user to only login during set hours, but had found that the user could still use LDAP. In this case, disabling the user with a script is probably the only way to do what you require; you can run the script from cron.

Rowland
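The cron-driven disable/enable script Rowland suggests above, sketched as an added example (this is not code from the thread or from Samba). It treats the "2" as the ACCOUNTDISABLE flag bit of userAccountControl and sets or clears it with bitwise operations rather than arithmetic, so a job that runs every hour never flips an already-disabled account (514) to 516 and back on by adding 2 twice. It produces the LDIF that an ldbmodify or ldapmodify call would consume once the current attribute value has been read. The DN, the allowed hours and the read-then-modify workflow are constructed assumptions for illustration.

```python
"""Added example (not from the Samba thread): idempotent ACCOUNTDISABLE
handling for a cron job that disables a user outside allowed hours.

The DN and the 08:00-18:00 window below are constructed placeholders.
The script assumes the caller has already read the user's current
userAccountControl value (e.g. with ldbsearch/ldapsearch) and will feed
the emitted LDIF to ldbmodify/ldapmodify.
"""
from datetime import datetime
from typing import Optional

# userAccountControl flag bits used here
ACCOUNTDISABLE = 0x0002   # the "add 2" from the thread, as a flag bit
NORMAL_ACCOUNT = 0x0200   # 512, the usual baseline for an ordinary user


def set_disabled(uac: int, disabled: bool) -> int:
    """Return uac with ACCOUNTDISABLE set or cleared.

    Plain "add 2" is only correct when the bit is not already set:
    514 + 2 = 516 clears ACCOUNTDISABLE again and sets an unrelated flag.
    Bitwise OR / AND-NOT can be applied any number of times safely.
    """
    if disabled:
        return uac | ACCOUNTDISABLE
    return uac & ~ACCOUNTDISABLE


def is_disabled(uac: int) -> bool:
    """True when the ACCOUNTDISABLE bit is present in uac."""
    return bool(uac & ACCOUNTDISABLE)


def within_window(hour: int, start: int, end: int) -> bool:
    """True if hour (0-23) lies in [start, end).

    Windows that cross midnight (e.g. start=22, end=6) are handled too.
    """
    if start <= end:
        return start <= hour < end
    return hour >= start or hour < end


def ldif_for(dn: str, current_uac: int, allowed_now: bool) -> Optional[str]:
    """Build a modify LDIF for dn, or return None when no change is needed.

    Returning None lets the cron job skip the directory write entirely
    on the (common) runs where the account is already in the right state.
    """
    wanted = set_disabled(current_uac, disabled=not allowed_now)
    if wanted == current_uac:
        return None
    return (
        f"dn: {dn}\n"
        "changetype: modify\n"
        "replace: userAccountControl\n"
        f"userAccountControl: {wanted}\n"
    )


if __name__ == "__main__":
    # Constructed sample: an enabled user, checked at the current hour
    # against an assumed 08:00-18:00 allowed window.
    sample_dn = "CN=mj,OU=Staff,DC=example,DC=com"   # placeholder DN
    current = NORMAL_ACCOUNT                        # 512, as read from AD
    allowed = within_window(datetime.now().hour, 8, 18)
    change = ldif_for(sample_dn, current, allowed)
    print(change if change else "# no change needed")
```

Piping the printed LDIF into `ldbmodify -H /var/lib/samba/private/sam.ldb` on the DC (or `ldapmodify` against it) applies the change; the `None` result on a no-op run is what makes the job safe to schedule every hour.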
Why not:

Create a group: Deny-PC-Logon

Create a GPO, go to: Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment

Open the "Deny log on locally" policy and add the group.

Something like that, you get the idea.. Can work it out atm, too busy. But at least MJ should know the idea now ;-)

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland penny via samba
> Sent: Tuesday 3 December 2019 16:58
> To: samba at lists.samba.org
> Subject: Re: [Samba] prevent ldap bind for specific user
>
> On 03/12/2019 15:45, lists via samba wrote:
> > Hi Rowland,
> >
> > Thanks!
> >
> > On 3-12-2019 16:32, Rowland penny via samba wrote:
> >> How about using the userAccountControl attribute ?
> >>
> >> Add 2 to it and the account becomes disabled and a disabled account
> >> cannot authenticate to AD
> >
> > But the accounts still need to be able to logon to certain (a
> > specific list of) workstations...
> >
> > A disabled account can not logon at all.
> >
> > MJ
> >
> From your initial post, it sounded like you were trying to allow a user
> to only login during set hours, but had found that the user could still
> use LDAP. In this case, disabling the user with a script is probably
> the only way to do what you require; you can run the script from cron.
>
> Rowland
On 3-12-2019 16:58, Rowland penny via samba wrote:
> From your initial post, it sounded like you were trying to allow a user
> to only login during set hours, but had found that the user could still
> use LDAP. In this case, disabling the user with a script is probably
> the only way to do what you require; you can run the script from cron.

Yes, the idea is: allow logins for some workstations, but prevent ldap binds at all times.

What suddenly came to mind: we have configured our ldap-connected services to do a search for users under a certain OU. When I move the user to a different OU, it is no longer found by ldap searches, and domain logons still work, whilst taking into account the configured restrictions.

So, our problem solved :-)

MJ